Catching 'phishers' a WholeSecurity sport

WholeSecurity, an Internet security firm in Austin, Texas, has released a program to help companies combat a growing form of online fraud known as "phishing," the company said Monday.

Phishing starts with a forged e-mail apparently from a legitimate company, such as eBay or Citibank, telling the recipient that his or her account information has expired--or something of the sort. The recipient is instructed to click on a link that leads to a fake Web site. The site asks for confidential data such as credit card numbers.

WholeSecurity is among a number of companies developing technology to alert consumers to phishing fraud. Its program, called Web Caller-ID, is already in use at eBay. The online auctioneer has incorporated the technology into its Internet toolbar with a feature called Account Guard. It detects fraud sites purporting to be connected to eBay and its PayPal subsidiary with 98 percent accuracy, according to WholeSecurity. The tool notifies users if they enter such a site.

Hundreds of thousands of eBay members have downloaded the free program since the company launched it in February, an eBay representative said.

Now WholeSecurity is trying to license the software to other companies doing business online, allowing them to incorporate it into their toolbars or distribute to their customers as a Web browser plug-in. Banks and other financial institutions are one of WholeSecurity's target markets for the product, said Scott Olson, WholeSecurity's senior vice president of marketing.

The program analyzes Web addresses for clues that might lead to fraudulent sites. For instance, if the URL is long and convoluted, or if it consists of a long string of numbers separated by periods--an IP address--there's a good chance it's a false site, Olson said. The program also checks whether the domain name was registered recently or its operator is using a free Web hosting service--all tell-tale signs of phishing activity, Olson said.